Your recruitment agency does not just forward CVs. It moves candidate data across clients, tools and teams.
From job portals, LinkedIn, WhatsApp and email to ATS tools, Excel trackers, client hiring managers, background-verification vendors and old candidate databases — recruitment agencies handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise.
Most recruitment agencies don't have a CV-collection problem — they have a candidate-data movement problem.
Your candidate-data risk map
The free scan scores your agency across these five areas. Here is what each one looks at.
Candidate sourcing risk
Naukri/LinkedIn/Indeed, WhatsApp referrals, walk-ins, scraped public profiles, reused old databases and client-provided lists.
First move: Define approved sourcing channels, avoid unmanaged scraping, and give candidates a clear notice of how their profile is used.
Candidate document risk
CVs, PAN/Aadhaar, salary slips, bank details, BGV records, psychometric scores and health/diversity data.
First move: Collect high-impact documents only when needed, with stronger access and retention controls.
Client sharing risk
CVs forwarded by email/WhatsApp, bulk CV folders, Excel trackers, or clients given access to your ATS/database.
First move: Share only relevant shortlisted profiles through controlled channels; avoid bulk folders and uncontrolled forwarding.
ATS, tool & access risk
ATS, Excel trackers, Drive folders, email, WhatsApp, recruiter laptops, BGV vendors and AI screening tools.
First move: Map where candidate data sits, restrict access, and remove ex-recruiter and freelancer access promptly.
Retention & rights readiness risk
Rejected/inactive CVs, phone numbers, salary details and documents kept for years for 'future roles'.
First move: Define a retention + deletion schedule and a clear way for candidates to correct, delete or withdraw.
How the 3-minute scan works
Answer 10 quick questions
About candidate sourcing, documents, client sharing, ATS access, retention and candidate rights. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five recruitment-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the Recruitment Agency DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real candidate-data workflows.
Recruitment agency DPDPA questions
Does the DPDPA apply to recruitment agencies?
Yes. Recruitment agencies process personal data of candidates — names, contact details, CVs, experience, salaries, and identity documents — making them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Compliance obligations apply regardless of agency size.
Do we need consent before sharing a candidate's CV with a client company?
Yes. Sharing a candidate's CV with a client is a disclosure of personal data to a third party. Under DPDPA, you must have valid consent from the candidate that covers this purpose. The consent notice must clearly state that CVs may be shared with prospective employers.
How long can we keep candidate data in our ATS after a placement or rejection?
DPDPA requires data to be deleted once the purpose for which it was collected is fulfilled. For candidates not placed, a reasonable retention window is 12–24 months for potential future roles, after which data should be erased unless the candidate opts in to remain in your database.
Are background check documents like Aadhaar and PAN copies covered under DPDPA?
Yes. Aadhaar numbers and PAN details are personal data under DPDPA. Recruitment agencies must collect only what is necessary for the specific check, store it securely with restricted access, and delete it once the verification purpose is complete.
What should we do if a candidate asks to erase their data?
Under Section 13 of the DPDPA, candidates have the right to erasure of personal data no longer needed for the purpose it was collected. You must acknowledge the request, verify identity, and erase the data unless retention is required by law. A documented process with a response timeline is recommended.
Take the free scan
10 questions · 3 minutes · free · no login. Get your agency's DPDPA readiness score.
Start Recruitment Risk Scan →Related Briefings
Need advice?
Request Consultation →Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.